ansible operator reapeating tasks twice?

[ricosega]

Question

Why the operator is repeating the task twice?

What did you do?

Created a new crd and in the tasks doing some steps:

• create namespace if does not exist
• create a kubernetes object (external secret) this causes repetition

What did you expect to see?

I want the task to be done once.

What did you see instead? Under which circumstances?

The task repeated.
First time it creates the namespace and creates the object externalSecret.
But it runs again from the beginning.

Environment

Operator type:

Kubernetes cluster type:
EKS 1.25

$ operator-sdk version
operator-sdk version: "v1.27.0", commit: "5cbdad9209332043b7c730856b6302edc8996faf", kubernetes version: "1.25.0", go version: "go1.19.5", GOOS: "linux", GOARCH: "amd64"

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.3", GitCommit:"434bfd82814af038ad94d62ebe59b133fcb50506", GitTreeState:"clean", BuildDate:"2022-10-12T10:57:26Z", GoVersion:"go1.19.2", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"25+", GitVersion:"v1.25.6-eks-48e63af", GitCommit:"9f22d4ae876173884749c0701f01340879ab3f95", GitTreeState:"clean", BuildDate:"2023-01-24T19:19:02Z", GoVersion:"go1.19.5", Compiler:"gc", Platform:"linux/amd64"}

Additional context

Is not the only case when adding this part of code "create externalSecrets" that causes the task to be repeated twice. But tried removing all the tasks and leaving the minimum when it starts to do this behavior.
Below you can see it:
https://gist.github.com/ricosega/ba9d35904af8e9329de16c7853543be2

[everettraven]

@ricosega Would you be able to share your watches.yaml file? My suspicion is that you are somehow watching secrets so when your playbook runs and creates a Secret it triggers the reconciliation again.

[ricosega]

hi @everettraven,

here is my watches.yaml

---
# Use the 'create api' subcommand to add watches to this file.
- version: v1alpha1
  group: deploy.lab
  kind: Laboratory
  playbook: playbooks/laboratory.yml
  manageStatus: False
  watchAnnotationsChanges: False
  finalizer:
    name: deploy.lab/finalizer
    playbook: roles/laboratory/tasks/delete/laboratory.yaml  
#+kubebuilder:scaffold:watch

Just to give you more overview, the operator manages creating labs, so it creates needed kubernetes objects and also some infrastructure.

[everettraven]

@ricosega Thanks for sharing your watches.yaml! I think the problem may be that by default the ansible operator injects owner-references on resources created during reconciliation and will automatically establish watches for them. This can be configured by using the watchDependentResources field for a watches.yaml entry. For more information on this, see the documentation here: https://sdk.operatorframework.io/docs/building-operators/ansible/reference/dependent-watches/

I suspect that if you disable the dependent resource watches that you will no longer see the reconciliation triggered a second time

[ricosega]

@everettraven that was the cause!
would it be possible to remove this owner reference for specific object without losing the watchDependentResources feature for the whole CR?
I can't see how to do it.
https://sdk.operatorframework.io/docs/building-operators/ansible/reference/retroactively-owned-resources/

[everettraven]

@ricosega Apologies for my severly late reply. I don't think it is possible to only remove the injected owner reference for a specific object, but I do think you could configure a watch on individual resources you want watched to trigger the same playbook.

[ricosega]

well the "watchDependentResources" solved our problem, thank you @everettraven for your responses.